Fixed #28017 -- Allowed customizing PasswordResetTokenGenerator's secret.
parent
2cbb095bec
commit
c930c241f8
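--- a/django/contrib/auth/tokens.py
+++ b/django/contrib/auth/tokens.py
@@ -11,6 +11,7 @@ class PasswordResetTokenGenerator:
     reset mechanism.
     """
     key_salt = "django.contrib.auth.tokens.PasswordResetTokenGenerator"
+    secret = settings.SECRET_KEY
 
     def make_token(self, user):
         """
@@ -61,6 +62,7 @@ class PasswordResetTokenGenerator:
         hash = salted_hmac(
             self.key_salt,
             self._make_hash_value(user, timestamp),
+            secret=self.secret,
         ).hexdigest()[::2]
         return "%s-%s" % (ts_b36, hash)
 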
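Review bot: `secret = settings.SECRET_KEY` in the first hunk is a class attribute, so it is evaluated once when the module is imported, and generators created after the setting changes (for example under `override_settings(SECRET_KEY=...)` in a test, or after a key rotation) keep the value captured at import time rather than the live setting. Resolving it per instance keeps the customisation point while tracking the setting: declare `secret = None` on the class and add `def __init__(self): self.secret = self.secret or settings.SECRET_KEY`. The class docstring that closes just above `key_salt` should also describe the new public attribute, saying that `secret` is the key used to sign and verify tokens and that it defaults to SECRET_KEY. The enclosing PasswordResetTokenGenerator class begins outside the hunk.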
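--- a/TEST_FILE_PATH_NOT_ON_PAGE
+++ b/TEST_FILE_PATH_NOT_ON_PAGE
@@ -55,3 +55,24 @@ class TokenGeneratorTest(TestCase):
         tk1 = p0.make_token(user)
         self.assertIs(p0.check_token(None, tk1), False)
         self.assertIs(p0.check_token(user, None), False)
+
+    def test_token_with_different_secret(self):
+        """
+        A valid token can be created with a secret other than SECRET_KEY by
+        using the PasswordResetTokenGenerator.secret attribute.
+        """
+        user = User.objects.create_user('tokentestuser', 'test2@example.com', 'testpw')
+        new_secret = 'abcdefghijkl'
+        # Create and check a token with a different secret.
+        p0 = PasswordResetTokenGenerator()
+        p0.secret = new_secret
+        tk0 = p0.make_token(user)
+        self.assertTrue(p0.check_token(user, tk0))
+        # Create and check a token with the default secret.
+        p1 = PasswordResetTokenGenerator()
+        self.assertEqual(p1.secret, settings.SECRET_KEY)
+        self.assertNotEqual(p1.secret, new_secret)
+        tk1 = p1.make_token(user)
+        # Tokens created with a different secret don't validate.
+        self.assertFalse(p0.check_token(user, tk1))
+        self.assertFalse(p1.check_token(user, tk0))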
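Review bot: The new assertions `self.assertTrue(p0.check_token(user, tk0))`, `self.assertFalse(p0.check_token(user, tk1))` and `self.assertFalse(p1.check_token(user, tk0))` differ in style from the surrounding context lines, which use `assertIs(..., False)` so that a truthy or falsy non-bool return from check_token would be caught instead of silently passing. For consistency with the rest of the test class write them as `self.assertIs(p0.check_token(user, tk0), True)`, `self.assertIs(p0.check_token(user, tk1), False)` and `self.assertIs(p1.check_token(user, tk0), False)`. The enclosing TokenGeneratorTest class begins outside the hunk.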